Your concerns are valid. To summarize:
Logging: YunoHost doesn’t log application-specific content beyond standard nginx/systemd logs. SearXNG is privacy-focused by design and doesn’t log search queries by default.
Encryption at rest: YunoHost doesn’t implement native at-rest encryption. For a VPS, you have a few options:
- Full disk encryption with LUKS + dropbear-initramfs for remote SSH unlock
- Encrypted volumes for specific directories (`/home/yunohost.app`, `/var/mail`)
- Application-level encryption where available
Keep in mind that on a VPS, LUKS protects against offline attacks but not against a malicious host with hypervisor access. For maximum privacy on a VPS you don’t physically control, consider application-level encryption combined with encrypted backups.
Relevant discussion: Disk encryption
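
Added example (not part of the original post, and not YunoHost code): a check that the directories named above actually sit on a dm-crypt (LUKS) volume, by walking the JSON tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints. The device names and layout in the sample are constructed assumptions.

```python
import json
import os

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not from a real host).
# Assumed layout: root on a plain partition, one LUKS volume mounted for app data.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "vda", "type": "disk", "mountpoint": null, "children": [
    {"name": "vda1", "type": "part", "mountpoint": "/"},
    {"name": "vda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptdata", "type": "crypt", "mountpoint": "/home/yunohost.app"}
    ]}
  ]}
]}
"""

PATHS = ["/home/yunohost.app", "/var/mail"]  # directories named in the post


def mounts(nodes, encrypted=False):
    """Yield (mountpoint, on_crypt) for every mounted node in the lsblk tree."""
    for node in nodes:
        on_crypt = encrypted or node.get("type") == "crypt"
        if node.get("mountpoint"):
            yield node["mountpoint"], on_crypt
        yield from mounts(node.get("children", []), on_crypt)


def covering_mount(path, table):
    """Return the longest mountpoint that contains path, or None."""
    hits = [mp for mp in table
            if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=len, default=None)


def audit(lsblk_json, paths=PATHS):
    """Map each path to True only if its filesystem sits on a dm-crypt device."""
    table = dict(mounts(json.loads(lsblk_json)["blockdevices"]))
    report = {}
    for path in paths:
        mp = covering_mount(os.path.normpath(path), table)
        report[path] = mp is not None and table[mp]
    return report


if __name__ == "__main__":
    for path, ok in audit(SAMPLE_LSBLK).items():
        print(f"{path}: {'encrypted volume' if ok else 'NOT on an encrypted volume'}")
```

On a real host, pass the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` to `audit()` in place of the sample; in the sample, `/var/mail` falls back to the unencrypted root filesystem and is reported as such.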